We reminded you last month that companies sponsoring large health care plans must comply by April 14 with the new privacy rule under the Health Insurance Portability and Accountability Act (HIPAA). Smaller plans must comply by April 14, 2004.
But don't be sloppy with medical information, even if HIPAA doesn't apply to your company until 2004, or ever. Reason: Other existing federal laws put the responsibility for securing employees' medical data squarely on your shoulders.
The Americans with Disabilities Act (ADA) privacy protections apply to medical documentation you receive to support employees' leave requests. That's why you should limit access to medical documentation to only those who need to know: your occupational health office (if your company has one), and supervisors and HR staff when needed to approve leave or consider reasonable accommodations.
Recent case: When an HIV-positive postal worker requested leave, he followed company policy by submitting a doctor's note describing his illness. When he returned to work, his HIV status had become common knowledge among co-workers.
He sued for invasion of privacy under the Privacy Act (which applies only to the federal government) and the Rehabilitation Act (which covers federal employers and applies the same legal standards as the ADA, the law that covers private-sector employers with at least 15 workers).
A lower court sided with the Postal Service, saying his submission of the medical information was voluntary because he didn't have to take the leave. But a federal appeals court rejected that argument and let the case go to trial. It said that requiring the doctor's note amounted to a medical "inquiry" by the employer, so the information fell under the Rehabilitation Act's confidentiality provision. (Doe v. United States Postal Service, No. 01-5395, D.C. Cir., 2003)